CVE Catalog

CVE-2026-49948

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.06%

17th percentile - higher than 17% of all known CVEs

Summary

Mem0 versions up to 0.2.8 contain a missing authorization vulnerability in the self-hosted server component where the POST /configure endpoint modifies global LLM provider and embedder configuration but does not validate the caller's role. Any authenticated user with a distributed API key can redirect traffic to an attacker-controlled server.

Risk Assessment

This vulnerability allows for the persistent introduction of malicious configuration into the PostgreSQL database, potentially affecting all users and API keys on the instance, posing a serious data security threat.

Recommendation

It is recommended to upgrade to Mem0 versions after 0.2.8 to eliminate this vulnerability and implement additional role verification mechanisms when modifying configurations.

Original NVD description (English source)

Mem0 versions through 0.2.8, fixed in commit ae7f406, contain a missing authorization vulnerability in the self-hosted server component where the POST /configure endpoint modifies global LLM provider and embedder configuration but only verifies authentication via JWT or X-API-Key without validating the caller's role. Any authenticated user holding a distributed API key can redirect all LLM and embedder traffic to an attacker-controlled server, with the malicious configuration persisted to PostgreSQL and surviving server restarts to affect all users and API keys on the instance.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS